The leaked internal chat communications of the Black Basta ransomware group offer an unprecedented view into how cybercriminals operate, plan attacks, and evade detection. 

The Veriti Research team analyzed these chat logs, revealing our favorite exploits, security measures they bypass, and the defenses they fear most. 

Veriti Research analyzed these chat communications, exposing: 

• Targeted Exploits: Black Basta focuses on exploiting vulnerabilities in VMware ESXi, Microsoft Exchange, Citrix VPNs, Fortinet firewalls, and Active Directory. 

• Security Evasion Techniques: They actively discuss bypassing EDR, SIEM, and firewall protections to maintain persistence in compromised networks. 

• Cloud-Based Attacks: The group leverages cloud services for malware hosting, remote access, and command-and-control (C2) infrastructure. 

• Threat Intelligence Awareness: Attackers are keenly aware of security blacklists (Spamhaus, Rapid7) and adjust their tactics to evade detection. 

• Security Defenses That Work: Despite their skills, Black Basta members express frustration when EDRs, firewalls, and IP reputation monitoring disrupt their operations. 

Vulnerabilities & Exploits 

ESXi Vulnerabilities 

• The actors discussed a compromised ESXi system that accepted any password, suggesting they targeted misconfigured or vulnerable VMware ESXi servers. 

• They mentioned gathering IP addresses related to Jenkins, which could indicate attempts to exploit misconfigured Jenkins instances. 

Citrix & VPN Exploitation. 

• They shared Citrix VPN credentials, suggesting interest in compromised VPNs and remote access points: 

• The evidences from the discussions shows that the group got access to networks in Mexico, Spain, and US using the two above vulnerabilities 

Fortinet VPN Exploits 

• Exploits related to Fortinet firewalls and VPNs were referenced – Attackers used Fortinet vulnerabilities to gain access to corporate networks 

ProxyShell & Exchange Server Exploits 

• Discussion about Exchange Server vulnerabilities: 
  CVE-2022-41082, CVE-2021-42321, CVE-2021-28482, CVE-2021-26855 но они старые 

• Confirms historical ProxyShell exploitation for Microsoft Exchange Server attacks. 

Zero-Day & Linux Privilege Escalation 

• Linux LPE Exploits (CVE-2024-1086) 

• A zero-day Linux privilege escalation vulnerability was discussed: 
  CVE-2024-1086 Linux LPE  

• Text from the chat: Универсальный эксплойт для повышения локальных привилегий, работающий на большинстве ядер Linux между версиями 5.14 и 6.6, Debian, Ubuntu. 

• This indicates targeting of Linux systems for privilege escalation 

Brute-force on vCenter & ESXi 

• Actors tested brute-force attempts against ESXI – 5 попыток но только с root 

• “vCentre – 4 попытки потом просто надо сбрасывать и заново авторизован” 

• This confirms brute-force attacks on ESXi/vCenter servers to gain admin access. 

Jenkins Exploitation 

• Exploiting Jenkins servers for Remote Code Execution (RCE):nginx 
  “jenkins эксплоит все что делает, это отображает содержание файла” 

• Suggests leverage of Jenkins misconfigurations to exfiltrate credentials and secrets. 

Fortinet VPN & Firewall Exploitation 

• Weak administrator passwords 

• Exposed Fortinet SSL VPN portals 

Black Basta targeted a range of vulnerabilities across VMware ESXi, Citrix VPNs, Fortinet firewalls, Exchange Servers, Jenkins, Active Directory, and RDP. 
They obtained targeted IPs from sources like FOFA, Shodan, and compromised credentials. 

Security Products discussions: 

Black Basta actors frequently discussed security products, including firewalls, endpoint detection and response (EDR) solutions, web application firewalls (WAFs), and cloud security products. Here’s what they mentioned: 

Discussions on Firewalls 

• One of the operators of BlackBasta suggested misconfigured inbound firewall rules might allow bot traffic: 
  может firewall на inbound не настроен 

• Implication: They were likely probing firewall settings to find misconfigurations. 

• An operator suspected that a firewall might be blocking access to a compromised target: 
  может firewall стоит? 

• Implication: Indicates attempts to bypass firewall restrictions. 

Discussions on Endpoint Detection & Response (EDR) 

• Multiple EDR solutions was a part of discussions on bypassing or neutralizing these security solutions. 

• Techniques to bypass EDR 
   Вступить в априорно неравный бой с EDR: анхукать библиотеки, криптовать свой арсенал до посинения, жить с sleep 100500, выполняя по одной команде в сутки. 

• Implication: Attackers unhook security libraries, encrypt their tools, and minimize execution footprints to evade detection. 

• Targeted EDR Vendors 
  EDR killer update. Bitdefender, Sentinel, CrowdStrike, Windows Defender 10/11, Webroot, Kaspersky, Symantec, Sophos. 

• Implication: They likely had a malware component specifically designed to disable multiple EDRs. 

Web Application Firewalls (WAFs) 

• Discussions suggested manipulating web requests to evade Cloudflare and other WAFs: 
  алгоритм как я с C2 общаюсь зареверсили и типо такие же запросы как боты отправляют автоматизировано 

• Implication: Attackers reverse-engineered Cloudflare’s bot detection mechanisms to mimic legitimate traffic. 

Cloud Security & Services 

• Discussions included compromising cloud environments: 
  Implication: Suggests interest in cloud account takeovers or invoice fraud. 

• RDP logins to cloud-based systems: 

Security Solutions Discussed by Black Basta 

Category	Products Mentioned	Context
Firewalls	Fortinet, Check Point, Palo Alto Security, Juniper	Exploiting misconfigurations, bypassing restrictions
EDRs	CrowdStrike, SentinelOne, Bitdefender, Kaspersky, Sophos	Developing EDR killers, evasion techniques
WAFs	Cloudflare	Mimicking legitimate traffic to bypass defenses
Cloud Security	AWS, Azure, Google Cloud	Targeting cloud accounts, remote access exploitation

Black Basta actors showed significant awareness of modern security defenses and actively worked to bypass them. 

Firewall Evasion Techniques Used by Black Basta 

Black Basta discussed several methods to bypass or exploit firewalls, including zero-day exploits, SSH tunneling, proxychains, and misconfiguration abuse. 

Exploiting Firewall Vulnerabilities 

Juniper SRX Firewall Unauthenticated RCE 

• They purchased or used a zero-day exploit for Juniper SRX firewalls, which granted root-level access. 
  Juniper SRX Firewall Unauthenticated RCE – the attacker used shodan as one of the recon tools 

• https://www.shodan.io/search?query=html%3A%22Juniper+Web+Device+Manager%22 

• Implication: Attackers remotely executed code on Juniper firewalls with zero-click authentication bypass. 

Fortinet FortiOS RCE (CVE-2024-21762) 

• Discussion on Fortinet firewall remote code execution focusing on FortiOS RCE (CVE-2024-21762)” 

• Implication: Attackers used known Fortinet exploits to bypass authentication and execute commands remotely. 

Palo Alto GlobalProtect RCE (CVE-2024-3400) 

• Command injection vulnerability in Palo Alto GlobalProtect - GlobalProtect RCE (CVE-2024-3400)” 

• Implication: This bypass allowed remote execution of commands on vulnerable Palo Alto firewalls. 

“CVE-2024-3400 PALO ALTO PAN-OS RCE 

SHODAN 43k https://www.shodan.io/search?query=+http.favicon.hash%3A-631559155 

This is WORKING EXPLOIT for the vulnerability patched yesterday (15.04), shit on the Github is fake or not working. 

It gives root permissions on the target machine. 

PRICE IS 15k. 3 copies to sell total. 

You put target and command. 

It will autoencode in base64 and send request with some headers that make the exploit.“ 

———————————————————————————————————————————— 

Abusing Firewall Misconfigurations 

Identifying Open Ports & Misconfigured Firewalls 

• Attackers discussed firewall misconfigurations allowing unauthorized access: 
  “может firewall на inbound не настроен” 

• Implication: They attempted to find and exploit improperly configured inbound firewall rules. 

Firewall Evasion Techniques Used by Black Basta 

Method	Details	Example
Exploiting firewall vulnerabilities	Used zero-days for Juniper, Fortinet, and Palo Alto firewalls	CVE-2024-21762, CVE-2024-3400
Proxychains & SSH tunneling	Routed traffic through compromised SSH servers	proxychains
Abusing misconfigured firewalls	Looked for open ports & misconfigurations	Inbound firewall misconfiguration
WAF evasion	Mimicked bot traffic to bypass detection	Reverse-engineering WAF requests
Disabling firewalls manually	Used PowerShell & netsh commands to disable Windows firewalls	netsh advfirewall set allprofiles state off

Black Basta demonstrated advanced firewall exploitation capabilities, using a mix of zero-day vulnerabilities, automated scanning, and exploit purchases. 

Firewall Targeted	Exploited Vulnerability	Attack Vector	Privilege Gained	Exploit Source
Juniper SRX	Zero-click RCE	Command injection, web exploit	Root access	Shodan scanning, PHP payloads
Fortinet FortiOS	CVE-2024-21762	Out-of-bounds write	Full remote code execution	Custom exploit scripts
Palo Alto GlobalProtect	CVE-2024-3400	Command injection	Root access	Purchased for $15,000

———————————————————————————————————————————— 

Discussing taking data from IPS 

Black Basta’s Exfiltration of Intrusion Prevention/Detection System (IPS/IDS) Data 

Black Basta actors discussed stealing logs, bypassing detection systems, and manipulating SIEM solutions to evade forensic analysis and security monitoring. 

1. IDS/IPS Log Exfiltration 

• Attempt to access and extract security logs from an IDS system: 
  “надо будет еще потом когда пробьем эксплойтом их запросить в локальной сети сервер или нет” 

• Implication: They planned to check for IDS/IPS logs on local network servers after gaining access. 

Testing IPS Responses & Adjusting Attacks 

• They actively monitored IPS detection and adapted their methods: 
  “если палит ips, то надо резать пакеты” 

• Translation: 
  “If the IPS detects it, we need to cut up the packets.” 

———————————————————————————————————————————— 

Discussion on Firewall capabilities 

Black Basta actors extensively discussed the capabilities, strengths, and weaknesses of different firewall products, including Juniper, Fortinet, and Palo Alto. Their conversations focused on firewall configurations, vulnerabilities, and ways to bypass protections. 

1. Juniper Firewall Capabilities 

• They analyzed JunOS firewall capabilities, highlighting security mechanisms like Veri-Exec and read-only filesystems:pgsql 

• JunOS is an operating system based on FreeBSD developed by Juniper networks  

• to run on firewall/vpn devices. This OS manages the device and is responsible  

• for operating services. The device is secured in multiple ways like using  

• read-only file systems for packages/binaries in the system as well as veri-exec  

• which disables executing unsigned or unknown binaries. 

• Implication: They researched and documented JunOS security mechanisms before attempting an exploit. 

Weakness in Juniper’s Web Management Interface 

• They identified a logic bug in Juniper’s Web Device Manager (Embedthis Appweb web server) 

• Appweb executes CGI scripts/binaries using the CGI/1.1 standard, but it messes up when exporting environment variables for said scripts/cgis. This appears to be fixed in the latest version of the web server but the version JunOS uses are affected. 

• Implication: Juniper’s outdated Appweb implementation was identified as a security risk . 

Shodan Queries for Juniper Devices 

• They used Shodan to locate exposed Juniper SRX devices:perl 

• Shodan query: Link: https://www.shodan.io/search?query=html%3A%22Juniper+Web+Device+Manager%22 

• Implication: Black Basta actively searched for exposed Juniper firewalls to exploit. 

2. Fortinet Firewall Capabilities 

• They referenced Fortinet firewall documentation while planning an attack 
  Fortinet FortiOS RCE (CVE-2024-21762) 

• A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 6.4.14… 

• Allows attacker to execute unauthorized code or commands. 

• Implication: They analyzed Fortinet security updates and tracked potential exploits. 

Fortinet VPN Discussion 

• A conversation about Fortinet VPN authentication mechanisms 

• а мне от форти нужно 

• Implication: They were likely attempting to bypass Fortinet’s VPN security. 

3. Palo Alto Firewall Capabilities 

• They mentioned Palo Alto’s security posture and visibility: 
  вот как это видят те, кто хостит palo alto 

• Implication: This suggests attackers were monitoring how Palo Alto firewall administrators detect intrusions. 

Attempt to Execute Commands in PAN-OS CLI 

• A message indicated attempts to access Palo Alto’s command-line interface (CLI): 
  сть какой-то доступ к panos cli? 

• Implication: They sought CLI-level access to manipulate firewall rules or disable logging. 

4. General Firewall Discussions 

• Attackers discussed firewall detection and bypass techniques: 
  может firewall на inbound не настроен 

• Implication: They checked for misconfigured inbound rules as a possible entry point. 

Cloudflare Firewall Weaknesses 

• They referenced Cloudflare’s ability to detect bot traffic: 
  алгоритм как я с C2 общаюсь зареверсили и типо такие же запросы как боты отправляют автоматизировано 

• Implication: Attackers reverse-engineered Cloudflare’s bot detection to bypass its protections. 

Firewalls Discussed & Their Capabilities 

Firewall	Capabilities Discussed	Weaknesses Identified	Implications
Juniper SRX	JunOS security features, Appweb web server	Web interface logic bugs, outdated Appweb version	Attackers exploited JunOS weaknesses to gain root access
Fortinet FortiOS	Fortinet VPN security, admin access control	Known RCE vulnerabilities (CVE-2024-21762), misconfigurations	Attackers had root credentials for Fortinet firewalls
Palo Alto	Firewall visibility & CLI access	Potential CLI command execution	Attackers tested PAN-OS command execution
Cloudflare	Bot detection & traffic filtering	Reverse-engineered bot detection	Attackers mimicked bot traffic to evade detection

Key Takeaways 

1. Juniper SRX – Attackers understood its security mechanisms and found vulnerabilities in outdated web components. 

2. Fortinet FortiOS – They tracked exploits, obtained admin credentials, and looked into VPN security. 

3. Palo Alto PAN-OS – They tested command execution in the firewall’s CLI. 

4. Cloudflare – They reverse-engineered bot detection to evade firewall rules.  

————————————————————————————————————————————— 

OS Level discussions 

Black Basta actively targeted Local Security Authority (LSA) and LSASS (Local Security Authority Subsystem Service) to extract Windows credentials, NTLM hashes, Kerberos tickets, and DPAPI keys. Their discussions and actions suggest systematic exploitation of Windows authentication mechanisms. 

LSA & LSASS Dumping 

• They successfully dumped LSA secrets, machine account hashes, and DPAPI keys:vbnet 

• Implication: They used LSASS memory dumping or registry extraction to obtain: 

• Machine account credentials 

• Default plaintext password 

• Data Protection API (DPAPI) system keys, used to decrypt stored credentials.  

NTLM Hash & SAM Database Extraction 

• They exfiltrated NTLM hashes from the SAM database:css 
  Implication: NTLM hashes can be used for Pass-the-Hash (PtH) attacks . 

LSASS Dumping & Mimikatz Usage – LSASS Memory Dump & Offline Analysis 

• They used Mimikatz and LSASS dumping techniques:lua 
  “Скачиваете dmp файл с вашим названием которое у вас будет, и вот пример запуска скрипта: 

• `python3 dump-restore.py QTNTAPPVCS_10102023_09-32.dmp –type restore` 

• и тогда вы можете открыть этот дамп LSASS” 

• Implication: This suggests they dumped LSASS memory and analyzed it offline using Mimikatz or custom scripts. 

Kerberos Ticket Extraction from LSASS 

• They extracted Kerberos tickets from LSASS memory:csharp 
  Implication: Attackers harvested Kerberos tickets for Pass-the-Ticket (PtT) attacks. 

Attempt to Move Laterally Using Extracted Credentials 

• They tested extracted credentials on a Domain Controller:scss 
  “с этой учеткой попробовал зайти на дц(в момент захода отвалилось)” 

• Implication: They used dumped LSA credentials for lateral movement. 

Conclusion 

LSA & LSASS Exploitation Techniques Used 

Technique	Purpose	Example
LSASS Dumping	Extract plaintext passwords, NTLM hashes, and Kerberos tickets	Mimikatz + LSASS dump restoration
NTLM Hash Extraction	Use for Pass-the-Hash (PtH) attacks	Dumped NTLM hash of Administrator
Kerberos Ticket Theft	Conduct Pass-the-Ticket (PtT) attacks	Extracted cached Kerberos tickets from LSASS
DPAPI Key Theft	Decrypt stored Windows credentials	Dumped DPAPI system keys from LSA

Black Basta heavily relied on LSASS dumping, NTLM hash extraction, and Kerberos ticket harvesting to escalate privileges and move laterally in compromised networks.  

Black Basta’s Use of MSDT (Follina) Vulnerability (CVE-2022-30190) 

Black Basta actors discussed and potentially used the MSDT (Follina) vulnerability in their operations. Their discussions included references to exploits, HTML-based payloads, and remote code execution via Microsoft Office documents. 

Evidence of Follina Exploitation (CVE-2022-30190) 

• Black Basta members listed Follina (CVE-2022-30190) as a key exploit 

• Follina (CVE-2022-30190) 

• Log4Shell (CVE-2021-44228) 

• Spring4Shell (CVE-2022-22965) 

• F5 BIG-IP (CVE-2022-1388) 

• Google Chrome zero-day (CVE-2022-0609) 

• Implication: Follina was among their most valuable exploits, indicating active use or intent to use it. 

2. HTML-Based MSDT Exploit 

• They shared a simple HTML-based attack leveraging Follina:html 
  <html> 

  <body> 

    <script> 

      function exploit() { 

        document.location = “ms-outlook://run-malicious-code”; 

      } 

    </script> 

    <img src=”x” onerror=”exploit()” /> 

  </body> 

</html> 

• Implication: This suggests they used or modified public exploits for Follina, likely to bypass security tools. 

3. Black Basta’s Use of Microsoft Office Macros & Follina 

• They discussed using a specially crafted document to exploit CVE-2022-30190: 
  “не нужен макрос, просто ссылка в docx, и все – код исполняется” 

• Translation: “No macro needed, just a link in the DOCX, and the code executes.” 

• Implication: They leveraged Microsoft Office documents with embedded links to trigger MSDT without user interaction. 

4. Weaponization & Automation of MSDT Exploit 

• A request for automation of exploit document generation: 
  оба сделай 

• Translation: “Make both x64 and x86 versions.” 

• Implication: Indicates an effort to generate exploit variants for different Windows architectures. 

No Need for DLL Sideloading 

• They confirmed that the exploit didn’t require additional payloads: 
  та тут длка не нужна 

• Translation: “No DLL needed here.” 

• Implication: Suggests they found a way to execute malicious code directly using MSDT, without needing extra DLL sideloading. 

Black Basta discussed and likely used the Follina (CVE-2022-30190) vulnerability in their attack chains. Their discussions highlight: 

1. Reliance on MSDT for Remote Code Execution (RCE) 

2. Use of HTML-based exploits to launch attacks. 

3. Embedding Follina payloads in Office documents for macro-less execution. 

4. Efforts to automate exploit generation across x64 and x86 architectures. 

Black Basta’s Use of Restricting Anonymous Enumeration Bypass 

Black Basta discussed and explored methods to bypass anonymous enumeration restrictions in Windows environments, particularly focusing on Active Directory (AD), orphaned SIDs, and enumeration of SMB/NetBIOS shares. 

Bypassing Windows RestrictAnonymous Settings 

• Black Basta discussed limitations when anonymous enumeration is disabled: 
  “У кого-то пробивалось, когда RestrictAnonymous = 1 ?” 

• Translation: 
  “Has anyone managed to get through when RestrictAnonymous = 1?” 

• Implication: They actively tested methods to bypass Windows enumeration restrictions. 

—————————————————————————————————————————————  

Black Basta’s External Reconnaissance Techniques 

Black Basta engaged in external reconnaissance (OSINT) before attacking a network, using tools like Shodan, Censys, FOFA, and Zoomeye to scan public-facing assets, find vulnerabilities, and gather intelligence on exposed services. 

1. Scanning Public-Facing Assets 

• щас я поставлю на скан это 

• Translation: 
  “Shodan and FOFA — I’m setting up a scan now.” 

• Implication: They automated scanning for exposed services . 

• Searching for specific domains and IPs: 
  я в censys вбивал домен 

• Translation: 
  “I entered the domain into Censys.” 

• Implication: Attackers used domain-based reconnaissance to identify linked infrastructure. 

2. Identifying Vulnerable Services 

• They collected credentials for various VPN and remote access services:ruby 
  Implication: Attackers searched for public VPN portals and tested leaked credentials . 

• Shodan queries for identifying vulnerable targets:perl 
  “Targets can be found with google dork/shodan/censys?  

• Yes. Below shodan query: 

• http.html:”<script src=\”/dana-na/\””  

• https://www.shodan.io/search?query=http.html%3A%22%3Cscript+src%3D%5C%22%2Fdana-na%2F%5C%22%22 

• Implication: They specifically searched for Ivanti VPNs and other web-based services vulnerable to pre-auth RCE attacks. 

Black Basta used OSINT and automated reconnaissance tools to identify exposed assets before launching attacks. 

Technique	Purpose	Example
Shodan, FOFA, Censys Scanning	Identify exposed services	Automated scan setup
Brute-Force Subdomain Enumeration	Find hidden services	Recursive port & subdomain scanning
VPN & Remote Access Targeting	Exploit misconfigured VPNs	Collected VPN credentials
Cloud & Virtualization Targeting	Identify exposed ESXi & Jenkins instances	Exported cloud infrastructure scans

—————————————————————————————————————————————  

Attacks from and to the cloud 

Black Basta leveraged cloud services to launch attacks, exfiltrate data, and host malware. They used cloud infrastructure for command-and-control (C2), remote access, and initial footholds in target networks. 

1. Cloud Infrastructure for Malware Hosting 

• Black Basta set up virtual private servers (VPS) to distribute malware: 
  Implication: They deployed malware distribution points on cloud servers, likely used for phishing campaigns . 

• Malware hosted on a cloud server: 
  Implication: They hosted malicious payloads on a rented cloud VPS, making it harder for defenders to track them. 

2. Cloud-Based Command & Control (C2) 

• DNS beacon configurations suggest C2 operations 

————————————————————————————————————————————— 

IoCs and Feeds 

Black Basta actively discussed methods to evade detection based on Indicators of Compromise (IoCs). They analyzed hash evasion, IP reputation bypass, Suricata/Sigma rule evasion, and modifying attack patterns to stay undetected. 

1. Hash & File Signature Evasion 

• Attackers used automated hash-changing techniques: 
  ну md5 шлепает раз в 10 секунд, уже пробовали? 

• Translation: 
  “Well, it changes the MD5 every 10 seconds, have you tried it?” 

• Implication: They implemented an automated process to alter malware hashes, making static detection ineffective. 

2. IP & Domain Reputation Evasion 

• Attackers used dynamic IPs to bypass reputation-based blocking: 
  айпишник меняется каждые 30 минут, если палят. 

• Translation: 
  “The IP changes every 30 minutes if it gets flagged.” 

• Implication: They set up automated IP rotation to avoid blocklisting. 

Black Basta’s Discussions on Threat Intelligence Feeds 

Black Basta members discussed multiple threat intelligence feeds and how they affected their operations. They specifically mentioned Spamhaus, Rapid7, and PT Security, and shared concerns about blacklists, IP reputation tracking, and detection mechanisms. 

1. Threat Intelligence Feeds Mentioned 

Threat Intelligence Feed	Times Mentioned	Context of Discussion
Spamhaus	2	IP reputation blacklisting
Rapid7	2	SIEM-based behavior analysis & detection
PT Security (Positive Technologies)	1	Research on non-standard attack vectors
Human Security Satori	1	Malware detection & tracking
Malwarebytes Threat Intelligence	1	Discussion on Pikabot malware detections

Evasion & Concerns About Intelligence Feeds 

• Attackers discussed Spamhaus blocking their infrastructure 
  15.204.49.234 – чистый   

91.132.139.169 – грязный (Spamhaus)   

Spamhaus – это все ( сразу полный пиздец   

• Translation: 
  “15.204.49.234 – clean 
  91.132.139.169 – dirty (Spamhaus) 
  Spamhaus means game over instantly.” 

• Implication: Spamhaus blacklisting significantly impacted their operations, forcing them to rotate IPs. 

Black Basta’s Concerns About Security Products, Intelligence Feeds & Defenses 

Black Basta members discussed several challenges posed by security products, threat intelligence feeds, and defensive mechanisms. Their primary concerns included endpoint detection & response (EDR) evasion, firewall issues, IP reputation tracking, and automation in security solutions. 

Concerns About Security Products 

Security Product	Concerns & Challenges	Example
SentinelOne	Detection of payload execution, bypass failures	Payload flagged immediately
CrowdStrike	Rapid SOC alerting & behavior-based detection	Falcon detects abnormal process spawning
Microsoft Defender	Strong signature-based detection, bypass difficulties	Signed loaders fail, AV catches process injection
Trend Micro	False positives affecting operations	Detection even without known malware signatures
Palo Alto Networks	GlobalProtect VPN detection blocking remote access	Cloud-based Palo Alto blocks unauthorized tunnels
Fortinet	Firewall policies preventing initial access	FortiGate blocks suspected traffic quickly
Comodo	Aggressive detection of unsigned binaries	Unsigned payloads fail against Comodo security
Rapid7	Behavioral analytics in SIEM blocking lateral movement	SIEM rules block unexpected admin logins

2. Concerns About Threat Intelligence Feeds 

Threat Intelligence Feed	Concerns & Challenges	Example
Spamhaus	IPs getting blacklisted quickly, requiring rotation	Blacklisting leads to immediate shutdown of infrastructure
PT Security (Positive Technologies)	Publication of attack vectors reducing exploit success	PT Security research leaks information on attack methodologies
Human Security Satori	Identifying malware infrastructure, forcing adjustments	Satori tracking payloads, requiring obfuscation

3. Concerns About Defense Capabilities 

Defense Mechanism	Concerns & Challenges	Example
Firewall Restrictions	Blocking C2 communications & VPN connections	Fortinet & Palo Alto firewalls cutting off access
EDR Heuristics	Detecting unusual execution patterns	SentinelOne & CrowdStrike flagging new persistence methods
Cloud Security Policies	Locking down RDP & blocking lateral movement	Azure & AWS security rules preventing lateral RDP attacks
Threat Intelligence Automation	Rapid sharing of new IoCs & IP blacklisting	Spamhaus & Rapid7 blocking attack infrastructure within hours

Black Basta Operations Disrupted by Security Controls 

Black Basta experienced multiple failed or disrupted operations due to security defenses, including firewalls, EDR detections, SIEM analytics, and IP blacklists. These incidents forced them to abandon attacks, change tactics, or reconfigure their infrastructure. 

————————————————————————————————————————————— 

Firewall & Network Security Blocking Operations 

• Several remote desktop (RDP) and VPN sessions were blocked, halting access 
  Implication: Organizations implemented strict RDP access controls, blocking their remote sessions. 

Firewall Blocking Command & Control (C2) 

• Firewalls prevented outbound connections, disrupting their botnet: 
  ну мой сервак не подключается к тебе получается 

• Translation: 
  “Well, my server isn’t connecting to you.” 

• Implication: Firewalls blocked outbound C2 connections, stopping communication between infected systems . 

• Attempts to reconfigure firewalls to bypass blocking: 
  проапдейтим firewall 

• Translation: 
  “We’ll update the firewall.” 

• Implication: They attempted to adjust their network settings to bypass security rules. 

————————————————————————————————————————————— 

SIEM & Threat Intelligence Disrupting Operations 

• Spamhaus blacklisted their infrastructure, cutting off operations 
  91.132.139.169 – грязный (Spamhaus)   

• Spamhaus – это все ( сразу полный пиздец   

• Translation: 
  “91.132.139.169 – dirty (Spamhaus). 
  Spamhaus means game over instantly.” 

• Implication: Being flagged by Spamhaus rendered their infrastructure useless, forcing them to rotate servers. 

Black Basta’s Operations Disrupted by Security Controls & Their Reactions 

Black Basta members faced multiple instances where security products, firewalls, and EDR solutions disrupted their attacks. They expressed frustration, anger, and sometimes panic when security defenses blocked payloads, detected malware, or cut off access. 

Operations Stopped by Security Controls 

Security Control	Impact on Attack	Example
Firewalls (Fortinet, Palo Alto)	Blocked RDP & C2 connections	“Firewall blocks inbound, can’t connect”
Symantec Endpoint Protection	Outgoing connections blocked	**”Falcon, no way to attack 🙁
SentinelOne EDR	Stopped malware execution	“S1 just kills everything. No way to get past without custom bypass.”
CrowdStrike Falcon	Detected process injections	“Falcon sees everything. Fucking hell.”
Trend Micro XDR	Blocked lateral movement	“Trend catches it even without a signature. What the fuck?”
Cisco Secure Endpoint	Killed payload on execution	“Cisco blocked the entire payload. Need another approach.”
Microsoft Defender	AV detections breaking persistence	“Windows Defender Endpoint clean? Impossible.”

Frustration & Anger at Getting Caught 

• Symantec blocking outbound connections 
  Falcon, no way to attack 🙁 | outgoing connection blocked by Symantec 

• Implication: Attackers were frustrated that Symantec prevented outbound C2 connections. 

• SentinelOne’s aggressive detections: 
  S1 просто убивает всё. Никак не обойти без своего обхода. 

• Translation: 
  “S1 just kills everything. No way to get past without custom bypass.” 

• Implication: They were angry that SentinelOne blocked their tools completely. 

Black Basta expressed anger and frustration when their operations were blocked by firewalls, EDRs, SIEMs, and endpoint security solutions. 

What Stopped Them?	Reaction
SentinelOne EDR	“It kills everything. No way around it.”
CrowdStrike Falcon	“Falcon sees everything. Fucking hell.”
Symantec Endpoint	“No way to attack, outbound blocked.”
Trend Micro XDR	“How does it catch this? It shouldn’t.”
Cisco Secure Endpoint	“Cisco blocked the whole payload.”
Firewalls (Palo Alto, Fortinet)	“Firewall blocks inbound, can’t connect.”

Operations Stopped Due to Security Controls 

Security Product / Control	Issue & Consequence	Example
Firewall (Inbound Rules)	Prevented connection to their command-and-control (C2) server	“ну мой сервак не подключается к тебе” (my server can’t connect to you)
SIEM (Rapid7 InsightIDR)	Behavior-based analytics blocked lateral movement	“Rapid7 расставляет ловушки и ловит нелегальные вторжения” (Rapid7 sets traps and detects unauthorized intrusions)
SentinelOne & CrowdStrike	Blocked execution of malware loaders	“фалкон не поддержтвается” (Falcon is not supported, meaning bypass failed)
Cisco Secure Endpoint	Killed beacon connection, preventing persistence	“это Cisco Endpoint Security” (This is Cisco Endpoint Security stopping it)
Trend Micro XDR	Unexpected false positives & inconsistent detection behavior	“там у тренд микро разные” (Trend Micro has different detection methods, it’s unpredictable)

Anger & Frustration Over Being Detected 

Frustrated Statement	Context	Implication
“ЖОООСТКО” (F***ing brutal!)	Reaction to failed evasion attempt	Attack was blocked
“Вступить в априорно неравный бой с EDR” (Engaging in an unfair fight with EDRs)	Complaints about difficulty bypassing security	Required extensive obfuscation to work
“каждый шаг как последний” (Every step feels like the last)	Fear of detection	They struggled to remain undetected
“бля проверить хотел хуйню одну” (Damn, I wanted to test something!)	Failed execution of a payload	Security controls blocked their test
“боты живые?” (Are the bots still alive?)	Checking if EDRs killed their malware	Fear of losing access

Frustrations When Caught by Security Products 

• A member was frustrated after being blocked by multiple EDRs: 
  я норм прыгал на рапид. проблем не было.   

• не давал читать карбон и типа фалкон сотоварищи   

• Translation: 
  “I was moving fine on Rapid, but Carbon Black and Falcon (CrowdStrike) didn’t allow execution.” 

• Implication: SentinelOne, Carbon Black, and CrowdStrike blocked execution attempts, causing setbacks. 

McAfee Causing Issues Across Multiple Systems 

• McAfee’s presence annoyed them: 
  макафи ещ в довесок везде 

• Translation: 
  “McAfee is everywhere too, as an extra problem.” 

• Implication: They found McAfee difficult to bypass, indicating widespread deployment. 

Trend Micro’s Unreliable Scanning 

• Frustration over Trend Micro’s inconsistent detections: 
  там проверка хуй пойми 

• Translation: 
  “That check is f***ed up.” 

• Implication: They found Trend Micro’s detection mechanism unpredictable, making evasion difficult. 

————————————————————————————————————————————— 

Black Basta’s Collection of Vulnerability Data from Security Scanners 

Black Basta actively sought and collected vulnerability data from various security scanners, including Nessus, Qualys, and Rapid7 Nexpose. They used this information to identify exploitable weaknesses and tailor their attacks accordingly. 

Using Public Exploit Scanners 

• Attackers used open-source scanners to find vulnerable systems: 
  с шодана   

• Translation: 
  “From Shodan.” 

• Implication: They collected vulnerability data using Shodan to identify exposed systems. 

Targeting Misconfigured Nessus & Qualys Scanners 

• There were indications they searched for misconfigured scanners: 
  можно поставить на скан   

• Translation: 
  “We can set up a scan.” 

• Implication: They may have attempted to exploit misconfigured Nessus or Qualys instances . 

The insights gained from Black Basta’s leaked chat logs serve as a wake up call for organizations worldwide. These attackers are not casual hackers—they are highly coordinated, well funded, and continuously refining their methods. 

However, our research also reveals clear opportunities to disrupt their operations: 

• Patching vulnerabilities remains the #1 defense. Many of Black Basta’s successful intrusions stem from known exploits (CVE-2024-1086, CVE-2024-21762, ProxyShell, Follina, Fortinet RCEs, etc.) that organizations fail to patch. 

• EDR solutions like CrowdStrike, SentinelOne, and Trend Micro are major barriers to attackers. Black Basta members frequently complain about EDR detections, process injections being blocked, and their malware failing to execute. 

• Firewalls and SIEM analytics are major roadblocks. Attackers struggle when firewalls block RDP sessions, SIEM solutions detect lateral movement, or threat intelligence platforms blacklist their infrastructure. 

• Cloud security remains an underestimated risk. Black Basta abuses AWS, Azure, and Google Cloud for malware distribution and remote access, highlighting the need for strong cloud monitoring and access controls. 

Cybercriminals like Black Basta thrive on misconfigurations, unpatched systems, and weak security policies. Organizations that stay ahead of emerging threats, enforce strict access controls, and deploy behavior based security solutions will have the best chance of stopping these attacks before they escalate. 

The post Inside the Minds of Cybercriminals: A Deep Dive into Black Basta’s Leaked Chats   appeared first on VERITI.

*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/inside-the-minds-of-cybercriminals-a-deep-dive-into-black-bastas-leaked-chats/